KRACK attack is especially bad news for Android and Linux users.


Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that was scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek, Linksys, and other types of devices. The site warned that attackers can exploit the flaw to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on," researcher Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium, wrote. "The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

A video demonstration on the site shows the attacker decrypting all data the phone sends to the access point. The attack works by forcing the phone into reinstalling an all-zero encryption key, rather than the real key. This ability, which also works on Linux, makes the attack particularly effective on these platforms.

The site went on to warn that visiting only HTTPS-protected Web pages wasn't automatically a remedy against the attack, since many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead transmitting unencrypted HTTP data. In the video demonstration, the attacker uses a script known as SSLstrip to force the site match.com to downgrade a connection to HTTP. The attacker is then able to steal an account password when the Android device logs in.

The researcher went on to say that the weakness allows attackers to target both vulnerable access points and vulnerable computers, smartphones and other types of connecting clients, albeit with differing levels of difficulty and effectiveness. Neither Windows nor iOS is believed to be vulnerable to the most severe attacks. Linux and Android appear to be more susceptible, because attackers can force network decryption on clients in seconds with little effort.

Vanhoef said clients can be patched to prevent attacks even when connected to vulnerable access points. Linux patches have been developed, but it's not immediately clear when they will become available for various distributions and for Android users. Patches are also available for some but not all Wi-Fi access points.

In response to a FAQ item asking if the vulnerability signaled the need for a WPA3 standard, Vanhoef wrote:

No, luckily [WPA2] implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.


KRACK works by targeting the four-way handshake that's executed when a client joins a WPA2-protected Wi-Fi network. Among other things, the handshake helps to confirm that both the client and access points have the correct credentials. KRACK tricks the vulnerable client into reinstalling an already-in-use key. The reinstallation forces the client to reset packet numbers containing a cryptographic nonce and other parameters to their initial values. KRACK forces the nonce reuse in a way that allows the encryption to be bypassed. Ars Technica IT editor Sean Gallagher has much more about KRACK here.

Monday's disclosure follows an advisory that the US CERT recently distributed to about 100 organizations. The advisory described the research this way:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
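A toy model of the reinstallation described above, added here as an illustration and not taken from the researchers' code or any Wi-Fi stack. A SHA-256-based keystream stands in for WPA2's real cipher, and the `Client` class, key and frame contents are constructed for the example; it shows why resetting the packet number under the same key exposes traffic, and how installing a key only once avoids the reset.

```python
import hashlib
from collections import Counter

# Constructed sample data (not from any real capture).
KEY = b"session-key-from-handshake"
FRAME_A = b"GET /index.html HTTP/1.1"   # content an observer could guess
FRAME_B = b"password=correct-horse!!"   # content that should stay secret


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy stand-in for a per-packet keystream: a function of (key, packet number) only."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical client: tracks the installed key and its packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0

    def on_message3(self, key: bytes) -> None:
        """Handle handshake message 3, which may be resent multiple times."""
        if self.patched and key == self.key:
            return  # key already installed: do not reset the packet number
        self.key = key
        self.packet_number = 0  # (re)installing a key resets the counter

    def send(self, plaintext: bytes):
        self.packet_number += 1
        pn = self.packet_number
        return pn, xor(plaintext, keystream(self.key, pn, len(plaintext)))


def run_session(patched: bool):
    """Message 3, one frame, a resent message 3, then a second frame."""
    client = Client(patched)
    client.on_message3(KEY)
    first = client.send(FRAME_A)
    client.on_message3(KEY)  # retransmission of the third handshake step
    second = client.send(FRAME_B)
    return [first, second]


def reused_packet_numbers(frames):
    """Defender's check: packet numbers seen more than once under one key."""
    counts = Counter(pn for pn, _ in frames)
    return sorted(pn for pn, n in counts.items() if n > 1)


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """With a shared keystream, c1 XOR p1 is the keystream, which also opens c2."""
    return xor(xor(c1, p1), c2)


if __name__ == "__main__":
    for patched in (False, True):
        (pn1, c1), (pn2, c2) = frames = run_session(patched)
        print("patched" if patched else "vulnerable",
              "reused:", reused_packet_numbers(frames),
              "second frame exposed:",
              recover_with_known_plaintext(c1, FRAME_A, c2) == FRAME_B)
```
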

Researchers briefed on the vulnerabilities said they are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.

The vulnerability is likely to pose the biggest threat to large corporate and government Wi-Fi networks, particularly if they accept connections from Linux and Android devices. And once again, attackers must be within Wi-Fi range of a vulnerable access point or client to pull off the attacks. Home Wi-Fi users are vulnerable, too, again especially if they connect with Linux or Android devices, but there are likely easier ways they can be attacked. Researcher and Errata Security CEO Rob Graham has useful information and analysis here.

Microsoft on Monday posted an advisory here that explains the conditions that are necessary for attackers to exploit vulnerable Windows machines. The company issued an update during last week's Patch Tuesday release that fixes the problem. Windows users who have yet to install the patch should do so right away. Microsoft's advisory said even when patched, affected Windows systems may offload vulnerable WPA2 functionality to installed Wi-Fi hardware when devices enter low-power standby modes. To fully protect themselves, users should also install new Wi-Fi device drivers if available, in addition to the Windows fix.

If possible, people with vulnerable access points and clients should avoid using Wi-Fi until patches are available and instead use wired connections. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell, and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points. As a fallback, users should consider using a virtual private network as an added safety measure, but users are reminded to choose their VPN providers carefully, since many services can't be trusted to make users more secure.

Post updated to add details from researchers.

Promoted Comments

Note that HTTPS is designed to work over an untrusted channel, such as Wi-Fi with no encryption or Wi-Fi with broken encryption. So long as you don't ignore those HTTPS cert validation warnings, you can browse as safely as before.

The same can't be said about other networked protocols; their security is highly variable. Obviously HTTP is extra screwed now.

The most screwed thing, though, is private networks such as the one in most homes. They are no longer private until patched. Better start by turning off password-less file sharing and hope for the best...

Have to give a big thumbs-up to Mikrotik here - could not ask for a better vendor response to this.

I read this story a couple of hours after publication, headed over to the Mikrotik forums to check whether my devices were vulnerable... and discovered that Mikrotik had quietly addressed this two weeks ago and my APs were all already patched against it :-).

Quote:

On October 16, CERT/CC/ICASI released a public announcement about discovered vulnerabilities in WPA2 handshake protocols that affect most WiFi users and all vendors world wide. RouterOS v6.39.3, v6.40.4, v6.41rc are not affected! It is important to note that the vulnerability is discovered in the protocol itself, so even a correct implementation is affected. These organizations did contact us earlier, so we have already released fixed versions that address the outlined issues. Not all of the discovered vulnerabilities directly impact RouterOS users, or even apply to RouterOS, but we did follow all recommendations and improved the key exchange process according to the guidelines we received from the organizations who discovered the issue. We released fixed versions last week, so if you upgrade your devices routinely, no further action is required.

CWE-323, CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13083, CVE-2017-13084, CVE-2017-13085, CVE-2017-13086, CVE-2017-13087

WEP is dead, WPA2 is crackable, what other options are there for consumer WiFi?

I knew there was a reason I kept all those Ethernet patch cables.

Serioso, I guess it means banking, etc., must be done with wired connections, or maybe cellular. Last week I was feeling sheepish about all the Ethernet cable I installed in my home in 2009. I'm feeling better now.

Jesus. Between that, Blueborne and the dnsmasq vulns, I'm now the proud owner of one of the most pwnable phones in existence today. If confirmed I feel this will have lasting consequences for the security of small businesses too.

I've held the opinion for a while that "wireless encryption" has been a bad idea, because it causes people (mostly network admins, but also homeowners) to believe that somehow, wireless is secure.

We had WEP - Wired Equivalent Privacy. Which turned out to be accurately named - it was about as secure as a wired network - on hubs. With a few ports exposed to anyone who happened to want to plug in. Whoops.

Crypto is hard, but you can create theoretically solid crypto. Implementations, especially where the entire medium can be attacker controlled, seem to be basically impossible to get right. Especially in consumer hardware that's sold and never updated (see cell phones).

Whoops. Your optimization leaks key material based on timing. Whoops. Your algorithm leaks key material based on power use and the ringing of power supply inductors. Whoops. Your algorithm leaks state through the branch predictor. These are all implementation details that have served to leak what is, on paper, perfectly solid crypto algorithms.

A while back, there were some attacks against WPS (the "here's a number to join a network" version, if I recall properly) that were, again, an implementation detail. An 8 digit number was processed as two 4 digit chunks, each separately brute forceable. Whoops.

If we'd left wireless wide open, at least people would have reasons to put extra layers under it - because it's obviously not secure. With WEP/WPA/etc, it's far, far worse. It's the illusion of a secure connection, when none (apparently) exists. Whoops!

This should be an interesting one to follow. I'll definitely check in tomorrow morning. I don't doubt that it's just as bad as it sounds. And, if I had to guess, I'd wager that this isn't news at all to the type of people you'd really rather not go snooping around your corporate networks.

When CERT says something as strong as this:

Quote:

Note that as protocol-level issues, most or all correct implementations of the standard will be affected.

WEP is dead, WPA2 is crackable, what other options are there for consumer WiFi?

I knew there was a reason I kept all those Ethernet patch cables.

Serioso, I guess it means banking, etc., must be done with wired connections, or maybe cellular. Last week I was feeling sheepish about all the Ethernet cable I installed in my home in 2009. I'm feeling better now.

No. If your bank is sending clear text over connections then this exploit will reveal the transactions. If they're doing that then you shouldn't be using that bank since they don't give a sh*t about security.

Your banking transactions should still be secure, assuming your bank isn't incompetent. However, things like home automation controls that assume security if you're on the same subnet... those will be open to attack or remote control.

I've held the opinion for a while that "wireless encryption" has been a bad idea,

That, along with most of the rest of your post, is complete nonsense. There is a grain of truth to it, but your conclusions are completely wrong. Spreading them is dangerous. If you tell non-technical friends and family that there is no point encrypting their networks because "they can be hacked and doesn't do any good" that is recklessly irresponsible.

We should be having secure protocols underneath the encrypted wireless, not instead of it. We should have secure DNS, we should have encryption for DHCP, we should have better firewall configurations on wireless access points, and we should have the best encryption we can get on wireless. The idea that if you don't encrypt the network layer that all the other layers will magically have perfect encryption is crazy. You want defense in depth.

I've held the opinion for a while that "wireless encryption" has been a bad idea,

That, along with most of the rest of your post, is complete nonsense. There is a grain of truth to it, but your conclusions are completely wrong. Spreading them is dangerous. If you tell non-technical friends and family that there is no point encrypting their networks because "they can be hacked and doesn't do any good" that is recklessly irresponsible.

We should be having secure protocols underneath the encrypted wireless, not instead of it. We should have secure DNS, we should have encryption for DHCP, we should have better firewall configurations on wireless access points, and we should have the best encryption we can get on wireless. The idea that if you don't encrypt the network layer that all the other layers will magically have perfect encryption is crazy. You want defense in depth.

And we don't have those because the physical layer encryption was regarded as solid.

Even DNSSEC, as commonly implemented, is to the domain name server on the network, not to the end machines. They rely on a response with the "totally legit response trust me!" bit set.

Seems like the IEEE 802.11 standards bodies have some answering to do. I suspect that with appropriately paranoid security experts making the standards this should have been preventable. First they messed up WEP, then WPA, now WPA2. Can we get some new protocol designers in there for WPA3?

WEP is dead, WPA2 is crackable, what other options are there for consumer WiFi?

I knew there was a reason I kept all those Ethernet patch cables.

Serioso, I guess it means banking, etc., must be done with wired connections, or maybe cellular. Last week I was feeling sheepish about all the Ethernet cable I installed in my home in 2009. I'm feeling better now.

Your banking transactions should still be secure, assuming your bank isn't incompetent. However, things like home automation controls that assume security if you're on the same subnet... those will be open to attack or remote control.

Keep in mind that it may be possible to hijack DHCP and DNS. So they could capture/MitM any traffic. So even encrypted websites that don't use certificate pinning may be vulnerable if the attacker can get some CA to issue a bogus certificate. Hopefully your bank uses certificate pinning, but there are still plenty of sites that don't.

To be honest with the quick demise of WEP and WPA I was quite surprised that WPA2 lasted as long as it did without publicly known exploits. Seems a whole lot of gadgets now insecure and will never be updated.

And we don't have those because the physical layer encryption was regarded as solid.

No, we don't have them because they are hard. Way harder to get right than encrypted wireless. But you somehow think that by not encrypting wireless we would have several other encryption technologies universally deployed all with *no weaknesses*. Given the difficulty getting even the relatively simple job of securing access to a network, expecting that those other technologies would work makes no sense. And seriously: if you share this "idea" with your non-technical friends: Stop. You are part of the problem.

To be honest with the quick demise of WEP and WPA I was quite surprised that WPA2 lasted as long as it did without publicly known exploits. Seems a whole lot of gadgets now insecure and will never be updated.

So this vulnerability allows the sniffing of data between a wi-fi router and a connected device. Does that mean it by definition also allows the attacker to see the password and gain access to the internet through the router?

It's relatively straightforward to avoid sending sensitive data over wi-fi but I'm also concerned that a malicious individual with access to my router could make me legally liable for illegal content accessed through my connection, like monitored copyrighted material and child pornography.

WEP is dead, WPA2 is crackable, what other options are there for consumer WiFi?

I knew there was a reason I kept all those Ethernet patch cables.

Serioso, I guess it means banking, etc., must be done with wired connections, or maybe cellular. Last week I was feeling sheepish about all the Ethernet cable I installed in my home in 2009. I'm feeling better now.

Newsflash - cellular ain't secure.

Come to think of it, do stingray devices basically let the police Wireshark everyone in range?

WEP is dead, WPA2 is crackable, what other options are there for consumer WiFi?

I knew there was a reason I kept all those Ethernet patch cables.

Serioso, I guess it means banking, etc., must be done with wired connections, or maybe cellular. Last week I was feeling sheepish about all the Ethernet cable I installed in my home in 2009. I'm feeling better now.

This hack is a big deal BUT a public service reminder: HTTPS does not depend on the wi-fi being secure! The wi-fi networking you are using can be compromised, and HTTPS is designed to punch through that and still contact your bank securely. Surprising but true. If your browser gives you a "this certificate does not match the domain" you can be extra suspicious, but if the domain is right and you see the lock icon, you are fine no matter how bad wi-fi is. The HTTPS design accounts for this exact networking scenario.

If eavesdropping or hijacking scenarios turn out to be easy to pull off, people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place.

I've never really trusted wireless signals, because of precisely this sort of scenario, plus the fact that you can't restrict access. Anyone with a good antenna and a strong radio can attack you, potentially even from miles away, given a good line of sight.

But, you can't really have a network these days without wireless. So what I've done for myself is to separate my router/firewall and my access point. I put the access point on a separate, untrusted network segment, and give it no special access into my main systems. I also put my game consoles and any other device I don't fully control onto that separate network.

Now, multiple networks is not an easy setup to write firewall rules for. I have three internal networks (trusted, wireless, DMZ), and the rules involved get really, really snarly. This is not a very workable solution for amateurs, but if you know what you're doing, and don't mind building yourself a Linux firewall (or using a router that gives you equivalent, fine-grain access to per-interface firewall rules), this is a good way to help limit the damage from flaws like this.

Because I already assume my wireless devices are hacked, them actually being hacked means that this isn't an emergency and I don't have to instantly do anything about it. I'll certainly look into replacing the router if, as I assume, Apple doesn't patch the problem (it's an older, but high-end Airport, so maybe they will), but I don't have to do anything right this second.

Network segmentation is not an easy solution, but it's very effective.

Every encryption scheme eventually fails for some reason or another and the 10 or so years WPA2 has been around is a pretty good run. It's not that WPA2 was totally uncrackable before, just that with a complex and unique password it might as well have been.

For anyone who thinks "this will never happen to me" – a few months ago I discovered my neighbours had logged onto my wifi network. They had half a dozen devices on my network when I discovered it.

I don't know how they got in, but I factory reset the router and changed the password to something stronger (alphanumeric with mixed case and symbols instead of the hexadecimal password that came pre-configured from the factory). It appears to have worked.

Fortunately a few months earlier I was in a tin foil hat mood and placed an additional ethernet only nat router in my office, so they shouldn't have had any access to my workstation or home server.

One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.

According to UBNT, firmware version 3.9.3.7537 (covers all APs) has the security fix, and it has been released though I'm not sure it's been actively pushed to all controllers yet. Currently the misc "security improvements" covers it until the official CVE release. Painless immediate upgrades of all equipment across all managed sites is certainly pleasant but never more so than when there's a critical security issue. This one certainly sounds like a doozy though.

FWIW, everyone should really give at least some thought to running through a VPN at all times when out in public anyway. Neither public WiFi nor even cellular should be considered trustworthy, or at least not fully trustworthy. Out on the go a minor latency increase is usually worth having an extra layer between you and any mass data vacuums. If you're lucky enough to have a decent home internet connection (50/50 or better say) then simply tunneling home may be good enough (and free, beyond setup time). Alternately if you're even mildly technically minded consider getting yourself (if you don't already have one) a cheap $2-5 VPS instance at DigitalOcean or OVH or whatever and setting up an instance of Algo. Unlike a commercial VPN it will be under your control, at a vendor with an actual SLA, you can tear it down and bring back up elsewhere trivially, you won't share an IP with a bunch of randoms, and it'll even generate profiles to make deployment to devices easy (both yours and any family/friends you want to take care of).

Note that sharing an IP is actually a very good idea, from a data logging and privacy perspective. If there are hundreds of people connected to a VPN, determining exactly which traffic is yours would be harder.

I've been thinking for a long time that having a constant data flow to endpoints would be even better. As is, someone with taps in the right places (eg, the highly motivated NSA) will be able to correlate inflows of encrypted packets from your systems with flows of unencrypted packets out from that VPN host. It'll be harder to prove that traffic is yours, but far from impossible.

But, say the VPN solution always sent data, no matter what. Each side could be constantly sending, say, a megabit of random noise, all nicely encrypted. Then, as you sent and received real traffic, it could be mixed into the random stream, so correlating unencrypted outbound packets with your specific inbound ones would be very, very difficult.

Downside: this would be enormously more expensive to support, so this kind of service would cost a lot more, and would peak at much slower speeds. And it would only be useful on servers where they had many guests, all sharing the same outbound IP address. But I think it would give you a really strong level of privacy.

To be honest with the quick demise of WEP and WPA I was quite surprised that WPA2 lasted as long as it did without publicly known exploits. Seems a whole lot of gadgets now insecure and will never be updated.

Hopefully having one end of a connection updated is enough to at least break the connection if suspicious key reuse is detected. Unfortunately that still leaves billions of devices unlikely to get patched in a timely manner.

For anyone who thinks "this will never happen to me" – a few months ago I discovered my neighbours had logged onto my wifi network. They had half a dozen devices on my network when I discovered it.

I don't know how they got in, but I factory reset the router and changed the password to something stronger (alphanumeric with mixed case and symbols instead of the hexadecimal password that came pre-configured from the factory). It appears to have worked.

Fortunately a few months earlier I was in a tin foil hat mood and placed an additional ethernet only nat router in my office, so they shouldn't have had any access to my workstation or home server.

Lucky guess at your username and password?

I was able to do that once. I lost my internet and for a lark I tried logging into my neighbour's wi-fi with default username/pw (which was admin/admin), no luck, so I tried their last name and 7 digit phone number, no luck, tried last name and last 4 digits of phone # and success! Was on their network for almost 2 years, had full access to their printer (never messed with it, but could have), Apple TV (not sure if I could have done anything there) and something called Sherri's Computer (didn't even want to know and didn't go there either).

Also worth remembering that WPA lacks forward secrecy since apparently nobody ever informed the designers of WiFi about the cutting edge 1977 research that was Diffie–Hellman–Merkle. If attackers get the psk that's it not just for future traffic but anything they recorded in the past. Seriously, tunnel through something else for anything sensitive. Or for everything really.

Note that sharing an IP is actually a very good idea, from a data logging and privacy perspective. If there are hundreds of people connected to a VPN, determining exactly which traffic is yours would be harder.

I respectfully but firmly disagree. If you need anonymity, use Tor+their hardened browser (and maybe additional layers, and practice opsec, and basically realize what a very hard problem it is). Commercial VPNs give no equivalent assurances on privacy. A shared IP will make a lot of web browsing unpleasant, may catch you up in some other trouble if said commercial VPN is compromised (or a honey pot, or under surveillance order, or who knows), etc. I think it's more likely too as it's an obvious centralized point gate for a lot of people. The purpose of a VPN is either secure access to localized network resources over WAN as if you were on the LAN, or secure virtual net entry point shifting. It can do both of these things very well. It is not for privacy, except to the extent that you can shut out basic actors between you and your chosen end point. Trying to use it as an inferior tor/i2p/freenet/whatever bandaid is frankly dangerous.